Netgate pfSense 2.4.4 Patch 2

An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.

Published: 2021-07-12T15:39:07.000Z
Updated: 2024-08-04T14:08:30.664Z

A Stored Cross-Site Scripting (XSS) vulnerability was found in status_filter_reload.php, a page in the pfSense software WebGUI, on Netgate pfSense version 2.4.4-p2 and earlier. The page did not encode output from the filter reload process, and a stored XSS was possible via the descr (description) parameter on NAT rules.

Published: 2021-07-12T15:53:46.000Z
Updated: 2024-08-04T14:08:30.629Z

An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents.

Published: 2019-09-26T17:38:42.000Z
Updated: 2024-08-05T01:24:48.530Z

An XSS issue was discovered in pfSense through 2.4.4-p3. In services_captiveportal_mac.php, the username and delmac parameters are displayed without sanitization.

Published: 2019-09-26T17:38:53.000Z
Updated: 2024-08-05T01:24:48.605Z

pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.

Published: 2019-09-25T15:45:56.000Z
Updated: 2024-08-05T01:17:41.164Z

In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remote attacker can run any command with root privileges on that server.

Published: 2019-06-25T10:55:17.000Z
Updated: 2024-08-04T23:32:55.584Z

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.

Published: 2019-06-03T02:28:08.000Z
Updated: 2024-08-04T23:24:38.689Z

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.

Published: 2019-06-03T02:27:47.000Z
Updated: 2024-08-04T23:24:39.165Z

Incorrect access control in the WebUI in OPNsense before version 19.1.8, and pfsense before 2.4.4-p3 allows remote authenticated users to escalate privileges to administrator via a specially crafted request.

Published: 2019-05-20T21:26:03.000Z
Updated: 2024-08-04T23:03:32.805Z